My Security Bounty
I maintain a standing bounty of $500 for anyone who discovers a serious vulnerability in my personal security. (If you're not particularly money-motivated, I also offer other rewards, such as you getting to prove you're smarter than me, my adding your name to the list of successful attacks at the end of this document, and/or your choice of other reasonable requests; just ask.) This bounty applies generally to every aspect of my life; my websites, my personal devices, my relationships and communications with other people, any information I would rather be kept secret, etc.
For my convenience, I will only guarantee payment via Paypal, Wise, or (reluctantly) whatever cryptocurrency is most convenient for me at the time. If you prefer another payment method I will consider it, but I reserve the right to refuse if it poses too much of a hassle.
Subject to the conditions below, you have my permission to exploit any active or passive avenue against me to demonstrate such a vulnerability, such as hacking my websites, lying to me, stealing my things, putting malware you control on my devices, sending phishing emails, politely asking companies to give you access to my accounts, planting physical devices, using social engineering to get my friends to divulge private information, etc. I am willing to pay out bounties without a live test, so long as I'm sufficiently convinced your attack would have worked had you attempted it.
A vulnerability must meet the following criteria to qualify for a bounty:
1. It has the potential to cause significant harm. For example, getting access to my main Facebook account would qualify, because a bad actor could use my reputation to scam my friends out of thousands of dollars. Getting access to a disused forum account I haven't touched in 15 years would likely not qualify. In the event you discover a vulnerability that falls short of this standard, I would still appreciate knowing about it, and would consider a partial bounty.
2. It is not already sufficiently handled by existing systems. For example, I am aware that someone could show up to my house with a gun and kill me, but I believe this is adequately disincentivized by the criminal penalties for doing so. As another example, I am aware that a malicious actor could DDoS my websites to take them offline, but I believe this is handled by the low probability of anyone caring much about them, and the fact that if they do, I can add protection when it happens with no lasting impact. In general, you will receive a bounty only if I believe that mitigating action is necessary after you share your findings with me.
3. You must not actually cause any significant harm to myself or others (unless you have obtained their consent beforehand). For example, wasting a few minutes of my time with phishing emails is fine, but taking one of my public websites offline for more than a minute or two is not acceptable. My friends and family are generally reasonable people and likely won't mind if you lie to them in service of helping me discover such vulnerabilities, but I cannot guarantee this, and I may decline the bounty if you cause any of them significant distress and I don't think they're being unreasonable. If your testing of something of mine relates to a business with whom I am professionally involved, you must respect their policies as well.
4. You must explain fully how you performed the attack, including every detail I ask for. In the event that you are unwilling to share certain details, I will consider a reduced bounty provided you at least share enough details for me to mitigate the problem.
5. I have the chance to re-evaluate the situation in between each bounty. For example, if you discover 5 unrelated vulnerabilities, I will only guarantee the first $500. (In most cases I would pay the other $2000 as well, but am including this rider to prevent myself from potentially being subject to owing people arbitrarily large amounts of money.)
In general, you accept some subjectivity with regards to this offer, and trust that I will act in good faith. My intention is to reward those who discover information of value to me, and to not reward those who do not. You can see some examples below.
Record of past attempts:
In 2022 I posted a version of this challenge on Manifold Markets. Someone quickly found my home address, winning the challenge. Given the difficulty of hiding that information whilst using my real identity online, I now no longer consider my home address sensitive information.
In March 2025 I created this bounty page and posted it on r/pentesting. u/pldc_bulok noticed that my trivia controller let anyone submit strings to display on the trivia page, and these strings could contain JavaScript, allowing for a trivial XSS attack. They also discovered the same thing on my other website RulesGuru's submission page. I paid out two full bounties for these findings.
u/pldc_bulok also reported some other things that did not qualify for a bounty:
- My blog's subscription emails could be spoofed. Disqualified as that's an inherent feature of all email, and my domain's SPF and DKIM records are correct.
- The lack of a firewall on my VPS meant that my blog could be accessed directly via its local port rather than through the intended Nginx reverse proxy. Disqualified as no clear path to harm was demonstrated. (Though I did fix it afterwards.)
- My email subscription option does not confirm that the subscriber owns the address, which means anyone could sign up anyone else's email. Disqualified as my notification emails come with an "unsubscribe" button, which effectively accomplishes the same thing.
- There are some internal pages and API endpoints on my websites that can be found via scanning tools. Disqualified as they were all designed with this in mind and do not expose anything sensitive.
In October 2025 I ran a vibecoding experiment to create BlackOpsChess.com. Jim Hays discovered an XSS vulnerability where usernames were being parsed as HTML. He didn't ask, but this would not have qualified for a bounty, as the point of the experiment was to test out AI coding and the end result was expected to be buggy.
Also in October 2025, I shared this bounty with my friends on Facebook. Thomas Eisen submitted the following vulnerability in this bounty system: "I can tell you about the vulnerability described by this sentence, which requires you to pay me $500 for useless information." This however would cause me harm, failing point #3 above. It was thus disqualified for a bounty.